Date
Severity
Moderately Critical
Vulnerability
Access Bypass
Affected versions
<7.x-1.1

Description

The Node Reference Create module extends the References field widget with an autocomplete that can create the referenced node on-the-fly when a user types a title that does not yet exist.

The autocomplete validation handler proceeded directly to saving the new node without consulting Drupal's standard content creation permission system. Any authenticated user who could submit a form containing a noderefcreate widget could silently create nodes of the referenced type, regardless of whether their role held the required permission.

This vulnerability is mitigated by the fact that exploitation requires an authenticated session and that the site must have at least one content type using a node reference field with the noderefcreate autocomplete widget configured.

Solution

Install the latest version.

If you use the Node Reference Create module for Drupal 7, upgrade to noderefcreate 7.x-1.1:


Reported by

Fixed by

  • Tag1 D7ES

Coordinated by

  • Tag1 D7ES